This resolves debian bug: https://bugs.debian.org/913104
lsb_release is only used by Firefox to add extra information to crash reports,
and Tor Browser is built with --disable-crashreporter.
Therefore, AppArmor denying execution of lsb_release should be a no-op,
and we can silence the corresponding log message.
Without this, LD_LIBRARY_PATH is not passed to these processes, and then:
- Tor Browser cannot load libmozsandbox.so
- Tor Browser 9.0a6 does not start correctly:
/usr/lib/x86_64-linux-gnu/libstdc++.so.6: version `GLIBCXX_3.4.23' not
found (required by /usr/local/lib/tor-browser/libxul.so)
… while it should use its own copy of libstdc++.so.6.
It's 2019. Users want to watch videos in Tor Browser. Having to edit files and
run commands as root is not a realistic expectation for Tor Browser users.
Before Firefox 60, Web Content processes were instances of a dedicated
binary (plugin-container). But since Firefox 60, the Web Content processes are
instances of the very same executable as the parent Firefox process,
which makes it impossible to apply a different AppArmor policy to:
- Web Content processes, that should ideally be more strictly confined
- the new parent Firefox process that's spawned while restarting
during a self-upgrade of Tor Browser
And indeed, we had to drop this distinction with commit
678d083491.
As a result, the new parent Firefox process that's spawned while restarting
during a self-upgrade of Tor Browser runs under the torbrowser_plugin_container
profile, i.e. more strictly confined than it should be, which breaks all kinds
of things.
A Firefox release manager tells me there's no plan to give Web Content processes
a dedicated binary again; let's give up and go back to confining the entire
browser under one single AppArmor profile, and rely on Firefox' own sandboxing
systems to protect itself against rogue Web Content processes.
5 years back Debian introduced apt as the new “pleasant for end users” tool over apt-get. The newer apt command works on all currently supported Ubuntu and Debian releases. See https://itsfoss.com/apt-vs-apt-get-difference/
